Archive for November 24, 2021

Ring Black Friday & Cyber Monday Deals & 2021 Year in Review

Posted in Commentary with tags on November 24, 2021 by itnerd

The holidays aren’t slowing down Ring’s momentum as the company is introducing new festive customizations for devices like the new Quick Replies and Chime Tones. In addition to all of these new devices and features, Ring is also offering deals on many devices for the gift giving season.

NEW from Ring

  • Package Alerts: Package Alerts send customers a notification when packages are delivered within their designated package zone. Package Alerts are available just in time to keep an eye on holiday deliveries, and ahead of Package Protection Day coming up on December 1. The holiday was created by Ring in 2016 to educate people about how to keep their packages safe following Black Friday and Cyber Monday. Currently, Package Alerts are rolling out to Ring Video Doorbell Pro 2 and Ring Video Doorbell (2020).
  • Holiday Customizations
    • New Holiday Quick Replies: With Quick Replies, a Ring Video Doorbell becomes an interactive answering machine with six preset responses for users to choose from. This season, users can greet guests at the door with responses such as:
      • “We’re busy wrapping presents right now. If you’d like to leave a message, you can do it now.”
      • “Happy Holidays! If you’d like to leave a message, you can do it now.”
      • “Be right there! We’re getting into the holiday spirit!”
      • “Please leave the package outside. Thanks for getting our presents here safely!”
    • Holiday Chime Tones: Ring Video Doorbell users can activate a variety of sounds as their Chime Tone and have them play each time a guest is at the door. Put your home in the holiday spirit with Chime Tones such as Deck the Halls, Elves, God Rest Ye Merry Gentlemen, Hark the Herald Angels Sing, Ho Ho Ho!, Jingle Bells, Silent Night, Sleigh Bells, I Have a Little Dreidel, Ma’oz Tzur and Oh Hanukkah.

The Perfect Gift for Everyone on your List

  • For the New Homeowner: The Floodlight Cam Wired Pro includes ultra-bright LED floodlights and Ring’s most advanced outdoor security camera yet equipped with 3D Motion Detection and Bird’s Eye View, giving homeowners more insight into what’s happening around their property.
  • For the traveler: Keep a close watch over your presents and packages as they arrive with the Ring Video Doorbell Pro 2. It includes Head-to-Toe View, 3D Motion Detection, and Quick Replies, the interactive answering machine feature that lets you answer the door with six preset responses right from the Ring App.
  • The budget gift: Ring Video Doorbell Wired is just $79, making it the perfect gift for college students, new homeowners, or even your neighbors. It’s Ring’s most affordable and compact doorbell yet, and a perfect start to smart home security.

Holiday Shopping Deals from Ring

  • Black Friday + Cyber Monday: As the holiday season sneaks up on us, so do the biggest shopping days of the year. Here are the top deals to look out for from Ring this coming Black Friday and Cyber Monday:
    • Available from November 21 – November 29:
      • Ring Floodlight Cam Wired Pro is $259.99 – $65 off!
      • 5 Piece Ring Alarm Security Kit – $164.99 – $105 off!
      • 8 Piece Ring Alarm Security Kit – $204.99 – $135 off!
    • Available from November 25 – November 29:
      • Ring Video Doorbell Wired is $55.99 – $24 off!
      • Ring Video Doorbell (2020 release) is $104.99 – $25 off!
      • Stick Up Cam Battery is $97.49 – $32.50 off!
      • Stick Up Cam Plug-In is $97.49 – $32.50 off!
      • Spotlight Cam Battery is $179.99 – $70 off!
      • Spotlight Cam Wired is $179.99 – $70 off!
    • Available November 27 – 29:
      • Ring Indoor Cam is $59.99 – $20 off!

To learn more about Ring, visit www.ring.com. To learn more about Ring and privacy, visit Ring’s Privacy Page. This page is dedicated to helping neighbours of Ring customers learn more about their approach to privacy, security, and user control.

Guest Post: Businesses under rising ransomware attack threats ahead of Black Friday Says Atlas VPN

Posted in Commentary with tags on November 24, 2021 by itnerd

Retailers should not overlook their preparedness for different types of cyberattacks, as cybercriminals step up their activity this season by exploiting vulnerabilities left on e-commerce sites.

According to the recent findings by the Atlas VPN team, retail and commerce businesses are under rising ransomware attack threats ahead of Black Friday sales. Furthermore, malware and social engineering attacks are the most common methods used to threaten businesses.

In Q1 2020, the ransomware share of malware attacks on retail and commerce stood at 11%. As the year progressed, the figure jumped to 33% in the second quarter and stayed the same in the third quarter.

In the first quarter of 2021, hackers came out strong right away, as the ransomware share of malware attacks on the retail and commerce industries reached 83%. Cybercriminals did not stop in the second quarter, as the figure jumped to its highest point: 95%.

Ahead of Black Friday sales, retail and commerce are becoming an even more attractive target for cybercriminals. Businesses hit with a ransomware attack in the middle of the discount season could face irreversible monetary losses and customer distrust.

Different attack methods

Hackers tend to employ many different attack methods, depending on what their goal is.

Among other attack methods, malware attacks accounted for 59% of threats to retail and commerce in Q2 2021. Malware can carry ransomware, adware, spyware, and many other types of attacks.

Social engineering attacks made up 53% of threats among other methods launched at retail and commerce companies. Such attacks heavily rely on human interaction and manipulation to click on a phishing link or break usual security procedures.

Hacking attacks accounted for 26% of threats directed at retail and commerce businesses. Hackers attempt to access computers by exploiting vulnerabilities to steal data, install malware, conduct a ransomware attack, or gain access to a network.

In Q2 2021, retail and commerce enterprises were targeted by 21% of web attacks, among other methods. Cybercriminals exploit vulnerabilities on e-commerce websites to obtain customers’ orders, including their sensitive data.

To read the full article, head over to: https://atlasvpn.com/blog/businesses-under-rising-ransomware-attack-threats-ahead-of-black-friday

Follow Up Review: AirPods Pro With MagSafe Case

Posted in Products with tags on November 24, 2021 by itnerd

After reviewing the AirPods Pro With MagSafe Case, I have found a few observations that I’d like to share, as well as a feature that I didn’t cover in my original review.

The first observation is that when I used these to watch some YouTube videos using my 16″ MacBook Pro, I noticed that the spatial audio was live. When I turned my head away from the screen, the AirPods Pro would trick my brain into thinking that the audio was coming from the left or the right. It’s kind of cool. While I might not leverage this feature every day, I may use the free trial of Apple Music that came with the AirPods Pro to try some tracks with Dolby Atmos and spatial audio just to see how good this feature really is.

The second observation is about the case: I found it to be insanely slippery, especially if your hands have moisture on them. My concern is that if it slips out of my hands, the case will crack or scratch. Thus I was forced to get this case to protect the case and give it some extra grip. Apple might be well served to come up with a case that didn’t have this issue.

Then there’s the fit. I spent this week trying all the sets of ear tips that come with the AirPods Pro and settled on the large ones. This was a good combination of comfort and having them stay in my ears. In my case, the medium ear tips were not snug enough, and the small ones were way too loose. I would suggest that anyone who buys these spend some time finding the ear tips that work best for them. One other thing on this front: removing them will scare the crap out of you, as you really have to pull on them to remove them. But once you do this a couple of times, you’ll have no issue going forward.

Finally there’s transparency mode. I have to admit, it’s kind of freaky how good it is. Compared to the wireless earbuds that I used as a comparison, which have a similar feature, the AirPods Pro crushed them rather easily, as they sounded really natural. So this, in my mind, pushes the AirPods Pro further ahead.

The bottom line is that the AirPods Pro are still a good pair of wireless earbuds. They’re expensive, but given the features that they come with, the sound quality, and how well they work with the Apple ecosystem, they are worth it.

The Most Wonderful Time of Year for… Email Fraud

Posted in Tips with tags on November 24, 2021 by itnerd

The holiday season is upon us, which means it’s also the busiest time of the year for online shopping. It’s also the season when cybercriminals bank on people being in a rush and distracted during this hectic season, and therefore more likely to fall victim to a scam, allowing them to cash in.

Now both AARP and FBI have tips on how to avoid scams like these. But it’s not just individuals who are targets for this sort of thing. Businesses are also targets. Mike Jones, product manager at Agari by HelpSystems has this advice for businesses who want to protect themselves:

“It’s not just individuals who are at risk. Businesses often suffer insurmountable losses in brand trust, credibility, and email deliverability, as well as millions of dollars of revenue from both fraudulent and legitimate purchases. If people fall prey to someone who has impersonated a brand, that business suffers, because every real email they send may now not be trusted. Plus, loyal or new customers might not feel safe coming to the legitimate website to make a purchase.

Employees need to think carefully before responding to emails. Would the CFO really want you to send them gift cards? Of course not, but would a trusted supplier change their bank account details? Perhaps. Suspicious emails should be reported to your security operations team immediately so they can be verified, and, if found to be a scam, other employees can be warned.”

It may be the holiday season, but that doesn’t mean that you don’t need to have your head on a swivel. Threats are out there and you need to be careful so that you protect yourself.

Guest Post: A Long List Of Arkei Stealer’s Crypto Browser Wallets According To Minerva Labs

Posted in Commentary on November 24, 2021 by itnerd

Arkei is an information stealer distributed as malware-as-a-service (MaaS). It collects sensitive information such as application passwords, credit card information and web browser cookies, and can even download additional payloads from the C&C server. It also shares code with several other information stealers, including Oski and Vidar.

Arkei Stealer’s main purpose is to collect passwords, cookies, auto-complete data, desktop files, machine data, installed software, etc. In 2021, Arkei’s authors extended its crypto wallet stealing capabilities and added anti-debugging and anti-emulation checks to thwart analysis and lower detection rates.

We analyzed a sample found by @James_inthe_box and created a complete list of the browsers and crypto browser wallets that Arkei Stealer tries to steal.

First, let’s talk about the evasion techniques this stealer performs. Arkei performs two well-known anti-debugger checks:

1. It calls ntdll!NtQueryInformationProcess with ProcessInformationClass set to 7 (ProcessDebugPort). This call returns a DWORD value equal to 0xFFFFFFFF (–1 in decimal) if the process is being debugged:

Figure 1 – NtQueryInformationProcess anti-debugger check

2. Timing check using the kernel32!GetTickCount function. When an executable is single-stepped in a debugger, its execution lags, so Arkei takes a timestamp and compares it with a second one taken a few instructions later to detect the delay:

Figure 2 – Timing anti-debugger check

Arkei Stealer employs another evasion technique (akin to Vidar stealer’s anti-emulation technique), which checks the computer name and the username running the Arkei executable. The malicious process will terminate itself if the computer name is “HAL9TH” and the username is “JohnDoe” (the default computer name and default username, respectively, of the Windows Defender emulator):

Figure 3 – Anti-emulator check

To learn more about how Minerva Labs can protect your business, contact us.

Arkei also checks if any of the following DLLs are loaded into the process:

  • avghookx.dll – AVG Internet Security.
  • avghooka.dll – AVG Internet Security.
  • snxhk.dll – Avast Antivirus.
  • sbiedll.dll – Sandboxie.
  • api_log.dll – CWSandbox.
  • dir_watch.dll – iDefense SysAnalyzer.
  • pstorec.dll – SunBelt Sandbox.
  • vmcheck.dll – VirtualPC.
  • wpespy.dll – Sandbox.
  • cmdvrt32.dll – COMODO Internet Security.
  • cmdvrt64.dll – COMODO Internet Security.

This stealer will terminate itself if the language identifier of the Region Format setting of the current user is one of the following:

  • 43Fh – Kazakh
  • 443h – Uzbek – Latin
  • 419h – Russian
  • 82Ch – Azeri-Cyrillic
  • 423h – Belarusian

This might indicate that the author comes from one of the above countries; it is a common technique used to avoid drawing the attention of the local authorities.

If all the above checks pass successfully, the malware will continue its intended purpose.

Arkei steals passwords, cookies, and autofill information from the following 32 web browsers:

  • Google Chrome
  • Chromium
  • Microsoft Edge
  • Kometa
  • Amigo
  • Torch
  • Orbitum
  • Comodo Dragon
  • Nichrome
  • Maxthon 5
  • Sputnik
  • Vivaldi
  • CocCoc
  • Uran
  • QIP Surf
  • CentBrowser
  • Elements
  • Tor
  • CryptoTab
  • Brave
  • Opera
  • OperaGX
  • OperaNeon
  • Firefox
  • SlimBrowser
  • PaleMoon
  • Waterfox
  • Cyberfox
  • BlackHawk
  • IceCat
  • KMeleon
  • Thunderbird

Arkei Stealer is one of the most threatening types of malware for cryptocurrency holders, due to the vast list of crypto browser wallets the malware can compromise and steal users’ assets from. Arkei steals these credentials by copying all the files stored in the browser’s extension folders. For example, if the victim uses Google Chrome with a crypto browser wallet extension, the extension files will be stored in:

  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\Domain Name.indexeddb.leveldb

Arkei steals the data from the following crypto wallets:

Crypto browser wallet – Extension ID:

  • TronLink – ibnejdfjmmkpcnlpebklmnkoeoihofec
  • MetaMask – nkbihfbeogaeaoehlefnkodbefgpgknn
  • Binance Chain Wallet – fhbohimaelbohpjbbldcngcnapndodjp
  • Yoroi – ffnbelfdoeiohenkjibnmadjiehjhajb
  • Nifty Wallet – jbdaocneiiinmjbjlgalhcelgbejmnid
  • Math Wallet – afbcbjpbpfadlkmhmclhkeeodmamcflc
  • Coinbase Wallet – hnfanknocfeofbddgcijnmhnfnkdnaad
  • Guarda – hpglfhgfnhbgpjdenjgmdgoeiappafln
  • EQUA Wallet – blnieiiffboillknjnepogjhkgnoapac
  • Jaxx Liberty – cjelfplplebdjjenllpjcblmjkfcffne
  • BitApp Wallet – fihkakfobkmkjojpchpfgcmhfjnmnfpi
  • iWallet – kncchdigobghenbbaddojjnnaogfppfj
  • Wombat – amkmjjmmflddogmhpjloimipbofnfjih
  • MEW CX – nlbmnnijcnlegkjjpcfjclmcfggfefdm
  • GuildWallet – nanjmdknhkinifnkgdcggcfnhdaammmj
  • Saturn Wallet – nkddgncdjgjfcddamfgcmfnlhccnimig
  • Ronin Wallet – fnjhmkhhmkbjkkabndcnnogagogbneec
  • NeoLine – cphhlgmgameodnhkjdmkpanlelnlohao
  • Clover Wallet – nhnkbkgjikgcigadomkphalanndcapjk
  • Liquality Wallet – kpfopkelmapcoipemfendmdcghnegimn
  • Terra Station – aiifbnbfobpmeekipheeijimdpnlpgpp
  • Keplr – dmkamcknogkgcdfhhbddcghachkejeap
  • Sollet – fhmfendgdocmcbmfikdcogofphimnkno
  • Auro Wallet – cnmamaachppnkjgnildpdmkaakejnhae
  • Polymesh Wallet – jojhfeoedkpkglbfimdfabpdfjaoolaf
  • ICONex – flpiciilemghbmfalicajoolhkkenfel
  • Nabox Wallet – nknhiehlklippafakaeklbeglecifhad
  • KHC – hcflpincpppdclinealmandijcmnkbgn
  • Temple – ookjlbkiijinhpmnjffcofjonbfbgaoc
  • TezBox – mnfifefkajgofkcjkemidiaecocnkjeh
  • Cyano Wallet – dkdedlpgdmmkkfjabffeganieamfklkm
  • Byone – nlgbhdfgdhgbiamfdfmbikcdghidoadd
  • OneKey – infeboajgfhgbjpjbeppbkgnabfdkdaf
  • LeafWallet – cihmoadaighcejopammfbmddcmdekcje
  • DAppPlay – lodccjjbdhfakaekdiahmedfbieldgik
  • BitClip – ijmpgkjfkbfhoebgogflfebnmejmfbml
  • Steem Keychain – lkcjlnjfpbikmcmbachjpdbijejflpcm
  • Nash Extension – onofpnbbkehpmmoabgpcpmigafmmnjhl
  • Hycon Lite Client – bcopgchhojmggmffilplmbdicgaihlkp
  • ZilPay – klnaejjgbibmhlephnhpmaofohgkpgkd
  • Coin98 Wallet – aeachknmefphepccionboohckonoeemg
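Because the stealer simply copies whole extension-settings folders, a defender can measure exposure by checking which of the targeted extension IDs exist under a Chrome profile. As an added example (not Minerva Labs’ product and not code from the post), this Python script walks a Chrome “User Data” tree along the Local/Sync Extension Settings paths quoted earlier and reports the wallets it finds; the ID subset is taken from the table above, and the demo profile tree is constructed in a temporary directory.

```python
"""Wallet-extension exposure check for the folders Arkei copies.

Added example, not Minerva Labs' tooling. On a real host the root is
%LOCALAPPDATA%\\Google\\Chrome\\User Data; here a throwaway tree is built.
"""
import tempfile
from pathlib import Path

# Subset of the post's table: extension ID -> wallet name (extend with the remaining rows as needed)
TARGETED_WALLETS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "fhbohimaelbohpjbbldcngcnapndodjp": "Binance Chain Wallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "fnjhmkhhmkbjkkabndcnnogagogbneec": "Ronin Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "aeachknmefphepccionboohckonoeemg": "Coin98 Wallet",
}
# The two per-profile folders the stealer copies wholesale (from the paths in the post)
SETTINGS_DIRS = ("Local Extension Settings", "Sync Extension Settings")


def find_targeted_wallets(user_data_dir) -> list:
    """Return sorted (profile, wallet name, extension id) tuples, one per wallet per profile."""
    hits = set()  # a wallet present in both settings folders is reported once
    for profile in Path(user_data_dir).iterdir():
        if not profile.is_dir():
            continue  # skip files such as 'Local State'
        for settings in SETTINGS_DIRS:
            folder = profile / settings
            if not folder.is_dir():
                continue
            for ext in folder.iterdir():
                name = TARGETED_WALLETS.get(ext.name)
                if name:
                    hits.add((profile.name, name, ext.name))
    return sorted(hits)


def build_demo_profile() -> str:
    """Construct a throwaway 'User Data' tree: two targeted wallets in Default, one in Profile 1,
    plus an unrelated extension that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="chrome-demo-"))
    default = root / "Default"
    (default / "Local Extension Settings" / "nkbihfbeogaeaoehlefnkodbefgpgknn").mkdir(parents=True)
    (default / "Sync Extension Settings" / "nkbihfbeogaeaoehlefnkodbefgpgknn").mkdir(parents=True)
    (default / "Local Extension Settings" / "dmkamcknogkgcdfhhbddcghachkejeap").mkdir(parents=True)
    (default / "Local Extension Settings" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").mkdir(parents=True)
    (root / "Profile 1" / "Local Extension Settings" / "aeachknmefphepccionboohckonoeemg").mkdir(parents=True)
    (root / "Local State").write_text("{}")  # a non-directory entry, as in a real tree
    return str(root)


if __name__ == "__main__":
    for profile, wallet, ext_id in find_targeted_wallets(build_demo_profile()):
        print(f"{profile}: {wallet} ({ext_id})")
```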

The sample that we analyzed steals data pertaining to stored browser passwords and 2FA extensions such as:

  • Authenticator
  • Authy
  • EOS Authenticator
  • GAuth Authenticator
  • Trezor Password Manager

This malware takes advantage of the fact that an increasing number of employees use their organizations’ endpoints for day-to-day activities, such as online purchasing and cryptocurrency activities. Electronic wallets are becoming increasingly common, making it easier for end-users to expose the corporate network to external attacks.

Minerva Labs’ Hostile Environment Simulation Module prevents Arkei Stealer from executing on the victim’s PC, protecting the corporate network and users’ private data.

IOCs:

Hashes:

  • 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d – app59.exe

Domains:

References:

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html

https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess

Apple Will Alert Users Targeted By The NSO Group… And Details How You Can Protect Yourself From Being A Target

Posted in Commentary with tags on November 24, 2021 by itnerd

Yesterday, Apple announced that it was suing The NSO Group, a purveyor of spyware to nation states, which in turn target journalists, dissidents, and activists. But Apple’s efforts don’t end there. A new support document from Apple outlines two things. First, Apple will alert users:

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users in two ways:

  • A Threat Notification is displayed at the top of the page after the user signs into appleid.apple.com.
  • Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

These notifications provide additional steps that notified users can take to help protect their devices.

And there’s this:

To verify that an Apple threat notification is genuine, sign in to appleid.apple.com. If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in.

It’s great that Apple has your back on this front, even though your chances of being attacked by the Pegasus spyware from The NSO Group are low. Having said that, Apple also gives you advice on how to protect yourself:

All users should continue to protect themselves from cybercriminals and consumer malware by following best practices for security:

  • Update devices to the latest software, as that includes the latest security fixes
  • Protect devices with a passcode
  • Use two-factor authentication and a strong password for Apple ID
  • Install apps from the App Store
  • Use strong and unique passwords online
  • Don’t click on links or attachments from unknown senders

All of this is good advice. Though I would add that in terms of the last point, don’t click on links even if the sender is known unless you are actually expecting them to send you a link or attachment, as it is both easy and common to spoof sender addresses.

Here’s the last piece of advice from Apple:

If you have not received an Apple threat notification, but have good reason to believe you may be targeted by state-sponsored attackers or you require emergency cybersecurity assistance for other reasons, we strongly suggest you enlist expert help. The Consumer Reports Security Planner website offers a list of emergency resources that may be able to assist you.

Apple is clearly serious about taking on The NSO Group. I wish them luck on that front as those scumbags need to be erased from existence.